Flash Security Arcus Security GmbH Zürich, 20.8.2014 Introduction Speaker Stefan Horlacher • Founder of Arcus Security o Penetration Testing o Web Application Reviews o Remediation of vulnerabilities o www.arcus-security.ch 2 Agenda Foreword Introduction Sandboxes Local Shared Object Configuration Overview Client Side Configuration Embedding Flash Cross Domain Policies Common Vulnerabilities Questions 3 Foreword This presentation summarises security relevant material from a client side perspective A lot of public knowledge can be found on • Adobe web site • OWASP web site 4 Introduction 5 Introduction SWF pronounced • Swif Dialect of ECMAScript • JavaScript alike ActionScript • 2000 ActionScript 1.0 • 2003 ActionScript 2.0 • 2006 ActionScript 3.0 6 Introduction Purposes • Animations • Games • Rich Internet Applications (RIA) • … 7 Introduction Files and execution environments • Browser Plug-ins o Plays SWF files o Embedded in <object> / <embed> tag o Direct call to the SWF file • Browser Plug-in creates the DOM o Plug-ins use the browser’s SSL / TLS implementation o Byte Code (JIT Compiler) 8 Introduction Files and execution environments • Standalone player o Plays SWF files o SSL / TLS available • Projector o .exe files o Standalone player containing the SWF • Specific version o No SSL / TLS o Creation not supported in Standalone player anymore 9 Introduction Cookies • HttpOnly flag prevents Flash from reading the cookie • Requests send cookies if any are present o HttpOnly flag has no influence in this case 10 Sandboxes 11 Sandboxes local-with-file-system • Access to local resources • Access to UNC network path local-with-networking • Access to network resources local-trusted • Not restricted 12 Sandboxes remote • No access to local file system o Except Local Shared Objects o Except Upload / Download API calls • Have to be called in a mouse or keyboard event 13 Sandboxes SWF loaded locally • Sandbox setting is part of the binary (flag) o local-with-file-system o local-with-networking 14 Sandboxes SWF loaded locally • local-trusted has to be granted by o Installer o Administrator o User o (or Projector files) • Local trusted files are defined in configuration files o Global / User FlashPlayerTrust directory o Or in settings.sol 15 Local Shared Objects 16 Local Shared Objects Also known as Flash Cookies • Used to persist on computer • Private browsing deletes Flash Cookies! o Since Flash Player 10.1 The only type of persistent storage Limited disk space • Default 100KB 17 Local Shared Objects Object encoding is AMF • Actionscript 1.0 / 2.0 o AMF0 • Actionscript 3.0 o AMF3 o Downgrade to AMF0 is possible 18 Local Shared Objects Stored locally in the user’s app data directory • Directory name is #SharedObjects • Path contains a random value (LLWKHP8Z) • Example o C:\users\<user>\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\LLWKHP8Z\<domain>\<SWF Name>\<LSO Name>.sol • Local (Standalone player) SWFs contain the sandbox in the path o ..\LLWKHP8Z\#localWithNet\<SWF path> 19 Local Shared Objects SharedObject.getLocal(name, path, secure) • Name of the LSO • Path of the LSO o ‘/’ is equal to the sandbox • Browser => domain name • Standalone player => local sandbox E.g: #localWithNet 20 Local Shared Objects SharedObject.getLocal(name, path, secure) • Path of the LSO o Path has to be part of the URL • www.example.com/files/myswf/path.swf Only access to ‘/’, ‘/files’ and ‘/files/myswf’ • www.example.com/files/anotherswf/path2.swf Has access to /files Doesn’t have access to ‘/files/myswf’ • Without path specification an additional directory is created with name of the SWF ../example.com/files/myswf/path.swf/<LSO Name>.sol 21 Local Shared Objects SharedObject.getLocal(name, path, secure) • Secure o Access to the LSO is only possible if the SWF is served over HTTPS 22 Local Shared Objects Remote Shared Objects exist as well • They require Adobe Flash Media Server • Share data between clients • Share data in real time 23 Configuration Overview 24 Configuration Overview Client Side • Administrative configuration • User configuration Flash Application • Author / Developer Remote • Cross domain policies 25 Client Side Configuration 26 Client Side Configuration mms.cfg (Administrative configuration) • Deployed by an administrator • Enforcing corporate o Security settings o Privacy settings • Location is OS / architecture dependent o E.g. Windows 64 bit: • %WINDIR%\SysWow64\Macromed\Flash 27 Client Side Configuration mms.cfg • Privacy options o AWHardwareDisable o AWHardwareEnabledDomain o DisableDeviceFontEnumeration • User interface options o FullScreenDisabled 28 Client Side Configuration mms.cfg • Data loading and storage options o LocalFileReadDisable o FileDownloadDisable / FileDownloadEnabledDomain o FileUploadDisable / FileUploadEnabledDomain o LocalStorageLimit o ThirdPartyStorage o AssetCacheSize 29 Client Side Configuration mms.cfg • Update Options o AutoUpdateDisable o AutoUpdateInterval o SilentAutoUpdateEnable o SilentAutoUpdateServerDomain o SilentAutoUpdateVerboseLogging o DisableProductDownload o ProductDisabled 30 Client Side Configuration mms.cfg • Security options o LegacyDomainMatching o AllowUserLocalTrust o FullScreenInteractiveDisable 31 Client Side Configuration User Configuration • Deprecated way to configure Flash • http://www.adobe.com/support/ documentation/en/flashplayer/h elp/settings_manager.html 32 Client Side Configuration User Configuration • Display • Privacy o Microphone / Camera • Local Storage • Microphone • Camera 33 Client Side Configuration User Configuration • Also available through the Control Panel 34 Embedding Flash 35 Embedding Flash SWFs can be embedded in different ways • Directly in the HTML • Directly calling the SWF in the browser o This will generate a DOM in the background • JavaScript libraries o E.g.: swfobject 36 Embedding Flash allowScriptAccess • Defines if the SWF is allowed to run scripts in the context of the embedding web site • Values o always (default in older Flash versions) • Regardless of the SWFs location, it is allowed to communicate with the embedding web site o sameDomain (default in newer Flash versions) • SWF may communicate with the embedding web site if they are hosted on the same domain o never (deprecated) 37 Embedding Flash allowNetworking • Defines how the SWF is allowed to make network calls • Values o all (default) • No restrictions o internal • Restricted network calls o none 38 Embedding Flash allowNetworking supersedes allowScriptAccess • E.g.: ‘allowNetworking = none’ makes allowScriptAccess obsolete 39 Embedding Flash DO NOT host an untrusted SWF on a trusted domain • allowScriptAccess and allowNetworking won’t prevent exploitation of vulnerabilities • SWF object may be directly invoked (URL) o The created DOM has the default values for allowScriptAccess and allowNetworking o Therefore, these settings may be bypassed! • Reason why allowScriptAccess = never is deprecated 40 Cross Domain Policies 41 Cross Domain Policies Request / Send on same domain • No policy required Send to foreign domain • GET don’t require a cross domain policy • POST require a cross domain policy o E.g.: sendToURL() method 42 Cross Domain Policies Requests to foreign domains • Require cross domain policy 43 Cross Domain Policies Why do we need a cross domain policy? • Flash would have full access to the foreign domain’s content o Reading sensitive content o Access to the functionality of the application in the context of the current user 44 Cross Domain Policies Cross Domain Request Restrictions • Cross-Protocol-Scripting (XPS) Prevention o Several ports are blocked by default • E.g.: SMPT, telnet • A policy file has to allow access o URL connections need an URL policy file • crossdomain.xml o Socket connections need a socket policy file 45 Cross Domain Policies Same Origin Policy • Prevents active content from accessing resources residing on a different origin o Based on protocol, port and FQDN 46 Cross Domain Policies Same Origin Policy • JavaScript o Has only access to the DOM of the embedding page 1 o Isn’t able to read content from its origin 2 • Exception: Cross Origin Resource Sharing (CORS) 47 Cross Domain Policies Same Origin Policy • ActionScript o Access to the embedding page’s DOM depends on 1 allowScriptAccess / allowNetworking o Is able to read content from its 2 origin • Without requesting a cross domain policy! 48 Cross Domain Policies Same Origin Policy • ActionScript o The embedded SWF file is in the (remote) sandbox of its origin. o Therefore, it has the origin’s trust relationship with other domains! 49 Cross Domain Policies 1 2 3 50 Cross Domain Policies crossdomain.xml • Stored in the server’s web root directory o Master policy file • By default further policies aren’t permitted 51 Cross Domain Policies Further policies may be delivered • Master policy has to permit meta-policy files o Master policy’s meta-policy specification may be overridden by a meta-policy specified in the HTTP response header • X-Permitted-Cross-Domain-Policies o Meta-policy files have to be loaded manually by the SWF application • Security.loadPolicyFile(url:String) 52 Cross Domain Policies Possible meta-policies (master policy configuration) • All • by-content-type (Content-Type: text/x-cross-domain-policy) • by-ftp-filename (/crossdomain.xml) • master-only • None (ignores even the master policy file) • none-this-response (HTTP response header) 53 Cross Domain Policies Meta-policy restrictions • Content-Type